From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from smtp1.linuxfoundation.org (smtp1.linux-foundation.org [172.17.192.35]) by mail.linuxfoundation.org (Postfix) with ESMTPS id C4823F50 for ; Mon, 22 Jan 2018 19:21:35 +0000 (UTC) X-Greylist: whitelisted by SQLgrey-1.7.6 Received: from mail-it0-f50.google.com (mail-it0-f50.google.com [209.85.214.50]) by smtp1.linuxfoundation.org (Postfix) with ESMTPS id 3031E271 for ; Mon, 22 Jan 2018 19:21:35 +0000 (UTC) Received: by mail-it0-f50.google.com with SMTP id p124so10973182ite.1 for ; Mon, 22 Jan 2018 11:21:35 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=blockstream.io; s=google; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=3m6fTtdZGDEEQTt+44s1x/Ch8FbnFqPK1YXi0uTjw0w=; b=EruVDp/7bSi+4Ge4w5m5RGVYlyRn2QJSbnF22c/Sj+uC1NLxZWJVOHCwlMaUnUO7sF H9615SWGMhMvlhrGHTpYm9zJTzBjCtkBau/5QC+5QjAPe3su/Y54FIa2kP8GWaBd2pRi TTF5VSsNELmXTclHk7i7yzi9oNzQaxqhoPJZw= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=3m6fTtdZGDEEQTt+44s1x/Ch8FbnFqPK1YXi0uTjw0w=; b=dTG6cGXpDUMHqIy2SVwZh6mXVuBphKWFQC48xNLLYWV8AdALsXBMuuiZE94T3oMUc3 0uZQRbTARoSRc3SMJuYVyN72Z2vZwi3OmWSxd6IStpoNMTXvE9n8avrs6Y1yyu3Mhpbr hO+Y79Eh/3wVBPYpA7EPHBudVRu2daF5guuXR7ChoDZh1AHa42fgAEpvAzrbqufWo2cn b67w14mR85tvWPMOOfcG2uzknXoQ9bafzu9WoWiDHVl8sZ8wX08f7SiLYdfXoK1eWtwC RlROLMhtbj7N3kpFQ03r6ICcwL/EDHJZRgqSPmhGKWD/mkwrOL2vIS250SybQ70AcKOc I3fQ== X-Gm-Message-State: AKwxyteVSQ1nP4hTfMxsrfo0Z5ffmQODYFphSQTjkhSpoVdDHcKY8w13 0Z2kkA3GvMg2a8l2Ma7+1i65JZL5oFJL4MrtLpfTXjelW08= X-Google-Smtp-Source: AH8x224XaOE8xs8N7/GPCoXNVftaawnsKIK2q3MV7QDT6PcANoB/aHfP/zY3sDWqHtltN2zcf/o+lLb672PSNE1ZzGQ= X-Received: by 10.36.215.69 with SMTP id y66mr9574735itg.10.1516648894395; Mon, 22 Jan 2018 11:21:34 -0800 (PST) MIME-Version: 1.0 Received: by 10.2.120.10 with HTTP; Mon, 22 Jan 2018 11:21:14 -0800 (PST) In-Reply-To: References: <51280a45-f86b-3191-d55e-f34e880c1da8@satoshilabs.com> <4003eed1-584f-9773-8cf9-6300ebd1eac6@satoshilabs.com> From: "Russell O'Connor" Date: Mon, 22 Jan 2018 14:21:14 -0500 Message-ID: To: Gregory Maxwell , Bitcoin Protocol Discussion Content-Type: multipart/alternative; boundary="94eb2c0afc44999db005636256e7" X-Spam-Status: No, score=-2.7 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,HTML_MESSAGE,RCVD_IN_DNSWL_LOW autolearn=ham version=3.3.1 X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on smtp1.linux-foundation.org X-Mailman-Approved-At: Mon, 22 Jan 2018 20:11:35 +0000 Subject: Re: [bitcoin-dev] Satoshilabs secret shared private key scheme X-BeenThere: bitcoin-dev@lists.linuxfoundation.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: Bitcoin Protocol Discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 22 Jan 2018 19:21:35 -0000 --94eb2c0afc44999db005636256e7 Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable On Thu, Jan 18, 2018 at 1:58 PM, Gregory Maxwell via bitcoin-dev < bitcoin-dev@lists.linuxfoundation.org> wrote: > On Thu, Jan 18, 2018 at 4:59 PM, Ond=C5=99ej Vejpustek > wrote: > >> If being secure against partial share leakage is really part of your > >> threat model the current proposal is gratuitously insecure against it. > > > > I don't think that is true. Shared secret is an input of KDF which > > should prevent this kind of attack. > > My post provided a concrete example. I'd be happy to answer any > questions about it, but otherwise I'm not sure how to make it more > clear. > > > Actually, we've been considering something like that. We concluded that > it is to much "rolling your own crypto". Instead of diffusion layer we > decided to apply KDF on the shared secret. > > > Quite the opposite-- a large block cipher is a standard > construction... and the off-label application of a KDF that you've > used here doesn't provide any protection against the example I gave. > At this point, is it better just to use GF(2^256+n)? Is GF(2^256+n) going to be that much slower than GF(2^8) that we care to make things this complicated? (I honestly don't know the answer.) --94eb2c0afc44999db005636256e7 Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable
On T= hu, Jan 18, 2018 at 1:58 PM, Gregory Maxwell via bitcoin-dev <bitcoin-dev@lists.linuxfoundation.org> wrote:
On Thu= , Jan 18, 2018 at 4:59 PM, Ond=C5=99ej Vejpustek
<ondrej.vejpustek@sa= toshilabs.com> wrote:
>> If being secure against partial share leakage is really part of yo= ur
>> threat model the current proposal is gratuitously insecure against= it.
>
> I don't think that is true. Shared secret is an input of KDF which=
> should prevent this kind of attack.

My post provided a concrete example. I'd be happy to answer any<= br> questions about it, but otherwise I'm not sure how to make it more
clear.

> Actually, we've been considering something like that. We concluded= that it is to much "rolling your own crypto". Instead of diffusi= on layer we decided to apply KDF on the shared secret.


Quite the opposite-- a large block cipher is a standard
construction... and the off-label application of a KDF that you've
used here doesn't provide any protection against the example I gave.

At this point, is it better just to use= GF(2^256+n)?=C2=A0 Is GF(2^256+n) going to be that much slower than GF(2^8= ) that we care to make things this complicated?=C2=A0 (I honestly don't= know the answer.)
--94eb2c0afc44999db005636256e7--